Details

JBoss Enterprise Web Server 1.0.1 is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having low security impact by the Red Hat Security Response Team.

JBoss Enterprise Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the industry's leading web server (Apache HTTP Server), the popular Apache Tomcat servlet container, as well as the mod_jk connector and the Tomcat Native library.

This 1.0.1 release of JBoss Enterprise Web Server serves as a replacement to JBoss Enterprise Web Server 1.0.0 GA. These updated packages include a number of bug fixes. For detailed component, installation, and bug fix information, refer to the JBoss Enterprise Web Server 1.0.1 Release Notes, available shortly from the link in the References section of this erratum.

The following security issues are also fixed with this release:

A directory traversal flaw was found in the Tomcat deployment process. An attacker could create a specially-crafted WAR file, which once deployed by a local, unsuspecting user, would lead to attacker-controlled content being deployed outside of the web root, into directories accessible to the Tomcat process. (CVE-2009-2693)

A second directory traversal flaw was found in the Tomcat deployment process. WAR file names were not sanitized, which could allow an attacker to create a specially-crafted WAR file that could delete files in the Tomcat host's work directory. (CVE-2009-2902)
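As an added example (not part of this erratum and not Tomcat's own deployment code), a small pre-deployment check in Python that rejects the two traversal patterns described above: archive entries that would resolve outside the context directory, and WAR file names carrying path separators or ".." segments. The sample WAR is constructed in memory and every name in it is hypothetical.

```python
import io
import zipfile


def is_unsafe_entry_name(name: str) -> bool:
    """True if a WAR/zip entry name would resolve outside the extraction root.

    Tomcat expands WAR entries under <appBase>/<context>/; an absolute path,
    a drive letter or any '..' segment lets an entry land somewhere else.
    """
    normalized = name.replace("\\", "/")               # treat backslashes as separators
    if normalized.startswith("/"):
        return True
    if len(normalized) >= 2 and normalized[1] == ":":  # Windows drive letter, e.g. C:
        return True
    return any(segment == ".." for segment in normalized.split("/"))


def is_safe_war_filename(filename: str) -> bool:
    """Reject WAR file names with path separators or '..' (the CVE-2009-2902 pattern)."""
    if not filename.lower().endswith(".war"):
        return False
    if "/" in filename or "\\" in filename:
        return False
    return ".." not in filename  # deliberately strict: also rejects 'a..b.war'


def unsafe_entries(war_bytes: bytes) -> list[str]:
    """Return every entry name in the archive that fails is_unsafe_entry_name."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return [n for n in war.namelist() if is_unsafe_entry_name(n)]


def build_sample_war() -> bytes:
    """Constructed in-memory WAR mixing benign entries with traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.jsp", "<html>ok</html>")
        war.writestr("../../conf/dropped.xml", "")   # climbs out of the context directory
        war.writestr("/tmp/absolute.jsp", "")         # absolute path
        war.writestr("WEB-INF\\..\\..\\esc.jsp", "")  # backslash-separated traversal
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_war()):
        print("REJECT", entry)
```

Run the same checks over a real archive by passing its bytes to unsafe_entries() before copying it into the webapps directory.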

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555)

This update provides a mitigation for this flaw in the following components:

tomcat5 and tomcat6: A new attribute, allowUnsafeLegacyRenegotiation, is available for the blocking IO (BIO) connector using JSSE, to enable or disable TLS session renegotiation. The default value is "false", meaning session renegotiation, both client- and server-initiated, is disabled by default.

tomcat-native: Client-initiated renegotiation is now rejected by the native connector. Server-initiated renegotiation is still allowed.